.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $OpenBSD: sshd_config.5,v 1.347 2023/01/18 06:55:32 jmc Exp $
.Dd $Mdocdate: January 18 2023 $
.Dt SSHD_CONFIG 5
.Os
.Sh NAME
.Nm sshd_config
.Nd OpenSSH daemon configuration file
.Sh DESCRIPTION
.Xr sshd 8
reads configuration data from
.Pa /etc/ssh/sshd_config
(or the file specified with
.Fl f
on the command line).
The file contains keyword-argument pairs, one per line.
For each keyword, the first obtained value will be used.
Lines starting with
.Ql #
and empty lines are interpreted as comments.
Arguments may optionally be enclosed in double quotes
.Pq \&"
in order to represent arguments containing spaces.
.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):
.Bl -tag -width Ds
.It Cm AcceptEnv
Specifies what environment variables sent by the client will be copied into
the session's
.Xr environ 7 .
See
.Cm SendEnv
and
.Cm SetEnv
in
.Xr ssh_config 5
for how to configure the client.
The
.Ev TERM
environment variable is always accepted whenever the client
requests a pseudo-terminal as it is required by the protocol.
Variables are specified by name, which may contain the wildcard characters
.Ql *
and
.Ql \&? .
Multiple environment variables may be separated by whitespace or spread
across multiple
.Cm AcceptEnv
directives.
Be warned that some environment variables could be used to bypass restricted
user environments.
For this reason, care should be taken in the use of this directive.
The default is not to accept any environment variables.
.It Cm AddressFamily
Specifies which address family should be used by
.Xr sshd 8 .
Valid arguments are
.Cm any
(the default),
.Cm inet
(use IPv4 only), or
.Cm inet6
(use IPv6 only).
.It Cm AllowAgentForwarding
Specifies whether
.Xr ssh-agent 1
forwarding is permitted.
The default is
.Cm yes .
Note that disabling agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.
.It Cm AllowGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
If specified, login is allowed only for users whose primary
group or supplementary group list matches one of the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
The allow/deny groups directives are processed in the following order:
.Cm DenyGroups ,
.Cm AllowGroups .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm AllowStreamLocalForwarding
Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
The available options are
.Cm yes
(the default)
or
.Cm all
to allow StreamLocal forwarding,
.Cm no
to prevent all StreamLocal forwarding,
.Cm local
to allow local (from the perspective of
.Xr ssh 1 )
forwarding only or
.Cm remote
to allow remote forwarding only.
Note that disabling StreamLocal forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.It Cm AllowTcpForwarding
Specifies whether TCP forwarding is permitted.
The available options are
.Cm yes
(the default)
or
.Cm all
to allow TCP forwarding,
.Cm no
to prevent all TCP forwarding,
.Cm local
to allow local (from the perspective of
.Xr ssh 1 )
forwarding only or
.Cm remote
to allow remote forwarding only.
Note that disabling TCP forwarding does not improve security unless
users are also denied shell access, as they can always install their
own forwarders.
.It Cm AllowUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
If specified, login is allowed only for user names that
match one of the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
HOST criteria may additionally contain addresses to match in CIDR
address/masklen format.
The allow/deny users directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm AuthenticationMethods
Specifies the authentication methods that must be successfully completed
for a user to be granted access.
This option must be followed by one or more lists of comma-separated
authentication method names, or by the single string
.Cm any
to indicate the default behaviour of accepting any single authentication
method.
If the default is overridden, then successful authentication requires
completion of every method in at least one of these lists.
.Pp
For example,
.Qq publickey,password publickey,keyboard-interactive
would require the user to complete public key authentication, followed by
either password or keyboard interactive authentication.
Only methods that are next in one or more lists are offered at each stage,
so for this example it would not be possible to attempt password or
keyboard-interactive authentication before public key.
.Pp
For keyboard interactive authentication it is also possible to
restrict authentication to a specific device by appending a
colon followed by the device identifier
.Cm bsdauth
or
.Cm pam ,
depending on the server configuration.
For example,
.Qq keyboard-interactive:bsdauth
would restrict keyboard interactive authentication to the
.Cm bsdauth
device.
.Pp
If the publickey method is listed more than once,
.Xr sshd 8
verifies that keys that have been used successfully are not reused for
subsequent authentications.
For example,
.Qq publickey,publickey
requires successful authentication using two different public keys.
.Pp
Note that each authentication method listed should also be explicitly enabled
in the configuration.
.Pp
The available authentication methods are:
.Qq gssapi-with-mic ,
.Qq hostbased ,
.Qq keyboard-interactive ,
.Qq none
(used for access to password-less accounts when
.Cm PermitEmptyPasswords
is enabled),
.Qq password
and
.Qq publickey .
.It Cm AuthorizedKeysCommand
Specifies a program to be used to look up the user's public keys.
The program must be owned by root, not writable by group or others and
specified by an absolute path.
Arguments to
.Cm AuthorizedKeysCommand
accept the tokens described in the
.Sx TOKENS
section.
If no arguments are specified then the username of the target user is used.
.Pp
The program should produce on standard output zero or
more lines of authorized_keys output (see
.Sx AUTHORIZED_KEYS
in
.Xr sshd 8 ) .
.Cm AuthorizedKeysCommand
is tried after the usual
.Cm AuthorizedKeysFile
files and will not be executed if a matching key is found there.
By default, no
.Cm AuthorizedKeysCommand
is run.
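As an added illustration of the AuthenticationMethods rules above (example code written for this edit, not OpenSSH's own), the following Python models which methods sshd offers at each stage and when access is granted; the key fingerprints it takes are constructed stand-ins for whatever the server would record.

```python
"""Model of how sshd(8) evaluates an AuthenticationMethods directive.

Added example, not OpenSSH code.  It follows the rules the manual gives:
every method in at least one comma-separated list must be completed, in
order; only methods that are next in some list are offered at each stage;
"publickey" listed twice requires two different keys; "any" (the default)
accepts any single method.
"""
from dataclasses import dataclass, field
from typing import Optional

# Method names the manual lists as available for AuthenticationMethods.
AVAILABLE = {"gssapi-with-mic", "hostbased", "keyboard-interactive",
             "none", "password", "publickey"}


def _base(method: str) -> str:
    """Strip an optional ':device' suffix, e.g. keyboard-interactive:bsdauth."""
    return method.partition(":")[0]


def parse_authentication_methods(value: str) -> list[list[str]]:
    """'publickey,password publickey,keyboard-interactive' becomes
    [['publickey', 'password'], ['publickey', 'keyboard-interactive']];
    'any' becomes [].  Unknown method names are rejected."""
    if value.strip() == "any":
        return []
    lists = []
    for group in value.split():
        methods = group.split(",")
        for m in methods:
            name, _, device = m.partition(":")
            if name not in AVAILABLE:
                raise ValueError(f"unknown authentication method {m!r}")
            if device and name != "keyboard-interactive":
                raise ValueError(f"device suffix is not valid for {name!r}")
        lists.append(methods)
    return lists


@dataclass
class AuthState:
    """Per-connection state: which methods have succeeded so far."""
    lists: list[list[str]]
    completed: list[str] = field(default_factory=list)
    keys_used: list[str] = field(default_factory=list)   # key fingerprints

    def _live(self) -> list[list[str]]:
        """Lists whose leading methods are exactly what has been completed."""
        n = len(self.completed)
        return [lst for lst in self.lists
                if [_base(m) for m in lst[:n]] == self.completed]

    def offered(self) -> set[str]:
        """Methods the server offers at this stage."""
        if not self.lists:                       # 'any'
            return set() if self.completed else set(AVAILABLE)
        n = len(self.completed)
        return {_base(lst[n]) for lst in self._live() if n < len(lst)}

    def granted(self) -> bool:
        """True once every method of at least one list has been completed."""
        if not self.lists:
            return bool(self.completed)
        return any(len(lst) == len(self.completed) for lst in self._live())

    def succeed(self, method: str, key_fingerprint: Optional[str] = None) -> bool:
        """Record one successful method; return True once access is granted.
        PermissionError: method not offered at this stage, or key reuse."""
        if method not in self.offered():
            raise PermissionError(f"{method} is not offered at this stage")
        if method == "publickey":
            if key_fingerprint in self.keys_used:
                raise PermissionError("public key already used; a different key is required")
            self.keys_used.append(key_fingerprint)
        self.completed.append(method)
        return self.granted()


def authenticate(directive: str, attempts) -> bool:
    """Replay (method, key_fingerprint) successes against a directive.
    True when access is granted, False if the sequence ends early;
    PermissionError propagates for an out-of-order method or a reused key."""
    state = AuthState(parse_authentication_methods(directive))
    return any(state.succeed(method, key) for method, key in attempts)


def is_rejected(directive: str, attempts) -> bool:
    """True if sshd would refuse the sequence (method not offered / key reuse)."""
    try:
        authenticate(directive, attempts)
    except PermissionError:
        return True
    return False
```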
.It Cm AuthorizedKeysCommandUser
Specifies the user under whose account the
.Cm AuthorizedKeysCommand
is run.
It is recommended to use a dedicated user that has no other role on the host
than running authorized keys commands.
If
.Cm AuthorizedKeysCommand
is specified but
.Cm AuthorizedKeysCommandUser
is not, then
.Xr sshd 8
will refuse to start.
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys used for user authentication.
The format is described in the AUTHORIZED_KEYS FILE FORMAT section of
.Xr sshd 8 .
Arguments to
.Cm AuthorizedKeysFile
accept the tokens described in the
.Sx TOKENS
section.
After expansion,
.Cm AuthorizedKeysFile
is taken to be an absolute path or one relative to the user's home
directory.
Multiple files may be listed, separated by whitespace.
Alternately this option may be set to
.Cm none
to skip checking for user keys in files.
The default is
.Qq .ssh/authorized_keys .ssh/authorized_keys2 .
.It Cm AuthorizedPrincipalsCommand
Specifies a program to be used to generate the list of allowed
certificate principals as per
.Cm AuthorizedPrincipalsFile .
The program must be owned by root, not writable by group or others and
specified by an absolute path.
Arguments to
.Cm AuthorizedPrincipalsCommand
accept the tokens described in the
.Sx TOKENS
section.
If no arguments are specified then the username of the target user is used.
.Pp
The program should produce on standard output zero or
more lines of
.Cm AuthorizedPrincipalsFile
output.
If either
.Cm AuthorizedPrincipalsCommand
or
.Cm AuthorizedPrincipalsFile
is specified, then certificates offered by the client for authentication
must contain a principal that is listed.
By default, no
.Cm AuthorizedPrincipalsCommand
is run.
.It Cm AuthorizedPrincipalsCommandUser
Specifies the user under whose account the
.Cm AuthorizedPrincipalsCommand
is run.
It is recommended to use a dedicated user that has no other role on the host
than running authorized principals commands.
If
.Cm AuthorizedPrincipalsCommand
is specified but
.Cm AuthorizedPrincipalsCommandUser
is not, then
.Xr sshd 8
will refuse to start.
.It Cm AuthorizedPrincipalsFile
Specifies a file that lists principal names that are accepted for
certificate authentication.
When using certificates signed by a key listed in
.Cm TrustedUserCAKeys ,
this file lists names, one of which must appear in the certificate for it
to be accepted for authentication.
Names are listed one per line preceded by key options (as described in
.Sx AUTHORIZED_KEYS FILE FORMAT
in
.Xr sshd 8 ) .
Empty lines and comments starting with
.Ql #
are ignored.
.Pp
Arguments to
.Cm AuthorizedPrincipalsFile
accept the tokens described in the
.Sx TOKENS
section.
After expansion,
.Cm AuthorizedPrincipalsFile
is taken to be an absolute path or one relative to the user's home directory.
The default is
.Cm none ,
i.e. not to use a principals file \(en in this case, the username
of the user must appear in a certificate's principals list for it to be
accepted.
.Pp
Note that
.Cm AuthorizedPrincipalsFile
is only used when authentication proceeds using a CA listed in
.Cm TrustedUserCAKeys
and is not consulted for certification authorities trusted via
.Pa ~/.ssh/authorized_keys ,
though the
.Cm principals=
key option offers a similar facility (see
.Xr sshd 8
for details).
.It Cm Banner
The contents of the specified file are sent to the remote user before
authentication is allowed.
If the argument is
.Cm none
then no banner is displayed.
By default, no banner is displayed.
.It Cm CASignatureAlgorithms
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
The default is:
.Bd -literal -offset indent
ssh-ed25519,ecdsa-sha2-nistp256,
ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
.Pp
Certificates signed using other algorithms will not be accepted for
public key or host-based authentication.
.It Cm ChannelTimeout
Specifies whether and how quickly
.Xr sshd 8
should close inactive channels.
Timeouts are specified as one or more
.Dq type=interval
pairs separated by whitespace, where the
.Dq type
must be a channel type name (as described in the table below), optionally
containing wildcard characters.
.Pp
The timeout value
.Dq interval
is specified in seconds or may use any of the units documented in the
.Sx TIME FORMATS
section.
For example,
.Dq session:*=5m
would cause all sessions to terminate after five minutes of inactivity.
Specifying a zero value disables the inactivity timeout.
.Pp
The available channel types include:
.Bl -tag -width Ds
.It Cm agent-connection
Open connections to
.Xr ssh-agent 1 .
.It Cm direct-tcpip , Cm direct-streamlocal@openssh.com
Open TCP or Unix socket (respectively) connections that have
been established from a
.Xr ssh 1
local forwarding, i.e.\&
.Cm LocalForward
or
.Cm DynamicForward .
.It Cm forwarded-tcpip , Cm forwarded-streamlocal@openssh.com
Open TCP or Unix socket (respectively) connections that have been
established to a
.Xr sshd 8
listening on behalf of a
.Xr ssh 1
remote forwarding, i.e.\&
.Cm RemoteForward .
.It Cm session:command
Command execution sessions.
.It Cm session:shell
Interactive shell sessions.
.It Cm session:subsystem:...
Subsystem sessions, e.g. for
.Xr sftp 1 ,
which could be identified as
.Cm session:subsystem:sftp .
.It Cm x11-connection
Open X11 forwarding sessions.
.El
.Pp
Note that in all the above cases, terminating an inactive session does not
guarantee to remove all resources associated with the session, e.g. shell
processes or X11 clients relating to the session may continue to execute.
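The following Python is an added example, not OpenSSH code, that resolves a ChannelTimeout value against the channel type names listed above. It assumes the TIME FORMATS units s, m, h, d and w (the section itself is not on this page), and that when several type=interval pairs match a channel the first one written wins.

```python
"""Resolve an sshd(8) ChannelTimeout directive against a channel type name.

Added example, not OpenSSH code.  It parses the "type=interval" pairs the
manual describes: 'type' may contain the wildcard characters '*' and '?',
and 'interval' is seconds or uses the units of sshd_config's TIME FORMATS
section (s, m, h, d, w, combinable as in "1h30m").  A zero interval disables
the timeout for that type.
"""
import re

# Channel type names the manual lists for ChannelTimeout; the subsystem
# entry is the sftp instance the manual gives for session:subsystem:...
CHANNEL_TYPES = [
    "agent-connection",
    "direct-tcpip", "direct-streamlocal@openssh.com",
    "forwarded-tcpip", "forwarded-streamlocal@openssh.com",
    "session:command", "session:shell", "session:subsystem:sftp",
    "x11-connection",
]

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_RE = re.compile(r"(\d+)([smhdwSMHDW]?)")


def parse_interval(text: str) -> int:
    """Convert '5m', '1h30m' or '90' into seconds; anything else is an error."""
    if not text or not re.fullmatch(r"(\d+[smhdwSMHDW]?)+", text):
        raise ValueError(f"bad time value {text!r}")
    return sum(int(n) * _UNITS[u.lower()] for n, u in _TIME_RE.findall(text))


def _glob(pattern: str) -> re.Pattern:
    """'*' matches any run of characters, '?' exactly one; all else literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.compile(rx + r"\Z")


def parse_channel_timeout(value: str) -> list[tuple[re.Pattern, int]]:
    """Parse 'session:*=5m agent-connection=0' into (pattern, seconds) pairs,
    keeping the order in which they were written."""
    rules = []
    for pair in value.split():
        typ, sep, interval = pair.partition("=")
        if not sep or not typ:
            raise ValueError(f"expected type=interval, got {pair!r}")
        rules.append((_glob(typ), parse_interval(interval)))
    return rules


def timeout_for(rules, channel_type: str) -> int:
    """Inactivity timeout in seconds for one channel type; 0 means never.
    Assumption: the first matching pair wins (the manual does not say how
    overlapping patterns are resolved)."""
    for pattern, seconds in rules:
        if pattern.match(channel_type):
            return seconds
    return 0


def effective_timeouts(value: str) -> dict[str, int]:
    """What a ChannelTimeout value does to every documented channel type."""
    rules = parse_channel_timeout(value)
    return {t: timeout_for(rules, t) for t in CHANNEL_TYPES}


if __name__ == "__main__":
    # Constructed directive: idle sessions close after 5 minutes, idle
    # local TCP forwards after 30 seconds, everything else never.
    for typ, secs in effective_timeouts("session:*=5m direct-tcpip=30").items():
        print(f"{typ:40} {secs}")
```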
.Pp
Moreover, terminating an inactive channel or session does not necessarily
close the SSH connection, nor does it prevent a client from
requesting another channel of the same type.
In particular, expiring an inactive forwarding session does not prevent
another identical forwarding from being subsequently created.
See also
.Cm UnusedConnectionTimeout ,
which may be used in conjunction with this option.
.Pp
The default is not to expire channels of any type for inactivity.
.It Cm ChrootDirectory
Specifies the pathname of a directory to
.Xr chroot 2
to after authentication.
At session startup
.Xr sshd 8
checks that all components of the pathname are root-owned directories
which are not writable by any other user or group.
After the chroot,
.Xr sshd 8
changes the working directory to the user's home directory.
Arguments to
.Cm ChrootDirectory
accept the tokens described in the
.Sx TOKENS
section.
.Pp
The
.Cm ChrootDirectory
must contain the necessary files and directories to support the
user's session.
For an interactive session this requires at least a shell, typically
.Xr sh 1 ,
and basic
.Pa /dev
nodes such as
.Xr null 4 ,
.Xr zero 4 ,
.Xr stdin 4 ,
.Xr stdout 4 ,
.Xr stderr 4 ,
and
.Xr tty 4
devices.
For file transfer sessions using SFTP
no additional configuration of the environment is necessary if the in-process
sftp-server is used,
though sessions which use logging may require
.Pa /dev/log
inside the chroot directory on some operating systems (see
.Xr sftp-server 8
for details).
.Pp
For safety, it is very important that the directory hierarchy be
prevented from modification by other processes on the system (especially
those outside the jail).
Misconfiguration can lead to unsafe environments which
.Xr sshd 8
cannot detect.
.Pp
The default is
.Cm none ,
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
Specifies the ciphers allowed.
Multiple ciphers must be comma-separated.
If the specified list begins with a
.Sq +
character, then the specified ciphers will be appended to the default set
instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
from the default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified ciphers will be placed at the head of the
default set.
.Pp
The supported ciphers are:
.Pp
.Bl -item -compact -offset indent
.It
3des-cbc
.It
aes128-cbc
.It
aes192-cbc
.It
aes256-cbc
.It
aes128-ctr
.It
aes192-ctr
.It
aes256-ctr
.It
aes128-gcm@openssh.com
.It
aes256-gcm@openssh.com
.It
chacha20-poly1305@openssh.com
.El
.Pp
The default is:
.Bd -literal -offset indent
chacha20-poly1305@openssh.com,
aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com
.Ed
.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClientAliveCountMax
Sets the number of client alive messages which may be sent without
.Xr sshd 8
receiving any messages back from the client.
If this threshold is reached while client alive messages are being sent,
sshd will disconnect the client, terminating the session.
It is important to note that the use of client alive messages is very
different from
.Cm TCPKeepAlive .
The client alive messages are sent through the encrypted channel
and therefore will not be spoofable.
The TCP keepalive option enabled by
.Cm TCPKeepAlive
is spoofable.
The client alive mechanism is valuable when the client or
server depend on knowing when a connection has become unresponsive.
.Pp
The default value is 3.
If
.Cm ClientAliveInterval
is set to 15, and
.Cm ClientAliveCountMax
is left at the default, unresponsive SSH clients
will be disconnected after approximately 45 seconds.
Setting a zero
.Cm ClientAliveCountMax
disables connection termination.
.It Cm ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received
from the client,
.Xr sshd 8
will send a message through the encrypted
channel to request a response from the client.
The default
is 0, indicating that these messages will not be sent to the client.
.It Cm Compression
Specifies whether compression is enabled after
the user has authenticated successfully.
The argument must be
.Cm yes ,
.Cm delayed
(a legacy synonym for
.Cm yes )
or
.Cm no .
The default is
.Cm yes .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.
Login is disallowed for users whose primary group or supplementary
group list matches one of the patterns.
Only group names are valid; a numerical group ID is not recognized.
By default, login is allowed for all groups.
The allow/deny groups directives are processed in the following order:
.Cm DenyGroups ,
.Cm AllowGroups .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
.It Cm DenyUsers
This keyword can be followed by a list of user name patterns, separated
by spaces.
Login is disallowed for user names that match one of the patterns.
Only user names are valid; a numerical user ID is not recognized.
By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST
are separately checked, restricting logins to particular
users from particular hosts.
HOST criteria may additionally contain addresses to match in CIDR
address/masklen format.
The allow/deny users directives are processed in the following order:
.Cm DenyUsers ,
.Cm AllowUsers .
.Pp
See PATTERNS in
.Xr ssh_config 5
for more information on patterns.
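.Pp
As an added illustration (not OpenSSH code), the following Python evaluates the DenyGroups/AllowGroups and DenyUsers/AllowUsers rules described above, including USER@HOST patterns with CIDR HOST criteria, in the order the manual gives (DenyUsers, AllowUsers, DenyGroups, AllowGroups). It assumes only the '*' and '?' wildcards of ssh_config(5) PATTERNS, tests a non-CIDR HOST part against both the client hostname and its address, and collects patterns from repeated directives; the sample configuration and hosts are constructed.

```python
"""Evaluate sshd_config allow/deny user and group directives (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


def wildcard_match(pattern: str, value: str) -> bool:
    """PATTERNS style: '*' matches any run of characters, '?' exactly one;
    everything else is literal (no character classes, unlike fnmatch)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def host_match(pattern: str, hostname: str, address: str) -> bool:
    """HOST criterion: CIDR address/masklen containment of the client address,
    otherwise a wildcard pattern tested against the client hostname or address
    string (assumption: both are tried)."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False  # a malformed CIDR or address never matches
    return wildcard_match(pattern, hostname) or wildcard_match(pattern, address)


def user_match(pattern: str, user: str, hostname: str, address: str) -> bool:
    """A bare pattern is tested against the user name only; USER@HOST requires
    both parts to match, each checked separately as the page states."""
    user_pat, at, host_pat = pattern.partition("@")
    if not wildcard_match(user_pat, user):
        return False
    return host_match(host_pat, hostname, address) if at else True


@dataclass
class AccessPolicy:
    deny_users: List[str] = field(default_factory=list)
    allow_users: List[str] = field(default_factory=list)
    deny_groups: List[str] = field(default_factory=list)
    allow_groups: List[str] = field(default_factory=list)


def parse_access_policy(config_text: str) -> AccessPolicy:
    """Collect the four directives: keyword (case-insensitive) followed by
    space-separated patterns; lines starting with '#' are comments.
    Assumption: patterns from repeated directives accumulate."""
    policy = AccessPolicy()
    targets = {"denyusers": policy.deny_users, "allowusers": policy.allow_users,
               "denygroups": policy.deny_groups, "allowgroups": policy.allow_groups}
    for raw in config_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].lower() in targets:
            targets[fields[0].lower()].extend(fields[1:])
    return policy


def login_denied_by(policy: AccessPolicy, user: str, groups: Sequence[str],
                    hostname: str, address: str) -> Optional[str]:
    """Return the directive that blocks the login, or None if it is allowed.
    A deny list blocks on any match; an allow list, once present, blocks unless
    some pattern matches.  Groups are matched by name only (no numeric GIDs)."""
    if any(user_match(p, user, hostname, address) for p in policy.deny_users):
        return "DenyUsers"
    if policy.allow_users and not any(
            user_match(p, user, hostname, address) for p in policy.allow_users):
        return "AllowUsers"
    if any(wildcard_match(p, g) for p in policy.deny_groups for g in groups):
        return "DenyGroups"
    if policy.allow_groups and not any(
            wildcard_match(p, g) for p in policy.allow_groups for g in groups):
        return "AllowGroups"
    return None


# Constructed sample configuration using documentation address ranges.
SAMPLE_CONFIG = """
# no guest accounts, and nothing at all from the 203.0.113.0/24 network
DenyUsers   guest* *@203.0.113.0/24
AllowUsers  admin@192.0.2.0/24 deploy@*.build.example
DenyGroups  contractors
AllowGroups wheel ops
"""

if __name__ == "__main__":
    policy = parse_access_policy(SAMPLE_CONFIG)
    for who in [("admin", ["wheel"], "jump.corp.example", "192.0.2.10"),
                ("admin", ["wheel"], "jump.corp.example", "203.0.113.5"),
                ("deploy", ["ops"], "ci01.build.example", "198.51.100.7"),
                ("deploy", ["ops"], "ci01.other.example", "198.51.100.7"),
                ("admin", ["wheel", "contractors"], "jump.corp.example", "192.0.2.10")]:
        print(who[0], "from", who[3], "->", login_denied_by(policy, *who) or "allowed")
```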
.It Cm DisableForwarding
Disables all forwarding features, including X11,
.Xr ssh-agent 1 ,
TCP and StreamLocal.
This option overrides all other forwarding-related options and may
simplify restricted configurations.
.It Cm ExposeAuthInfo
Writes a temporary file containing a list of authentication methods and
public credentials (e.g. keys) used to authenticate the user.
The location of the file is exposed to the user session through the
.Ev SSH_USER_AUTH
environment variable.
The default is
.Cm no .
.It Cm FingerprintHash
Specifies the hash algorithm used when logging key fingerprints.
Valid options are:
.Cm md5
and
.Cm sha256 .
The default is
.Cm sha256 .
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,
ignoring any command supplied by the client and
.Pa ~/.ssh/rc
if present.
The command is invoked by using the user's login shell with the -c option.
This applies to shell, command, or subsystem execution.
It is most useful inside a
.Cm Match
block.
The command originally supplied by the client is available in the
.Ev SSH_ORIGINAL_COMMAND
environment variable.
Specifying a command of
.Cm internal-sftp
will force the use of an in-process SFTP server that requires no support
files when used with
.Cm ChrootDirectory .
The default is
.Cm none .
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to ports
forwarded for the client.
By default,
.Xr sshd 8
binds remote port forwardings to the loopback address.
This prevents other remote hosts from connecting to forwarded ports.
.Cm GatewayPorts
can be used to specify that sshd
should allow remote port forwardings to bind to non-loopback addresses, thus
allowing other hosts to connect.
The argument may be
.Cm no
to force remote port forwardings to be available to the local host only,
.Cm yes
to force remote port forwardings to bind to the wildcard address, or
.Cm clientspecified
to allow the client to select the address to which the forwarding is bound.
The default is
.Cm no .
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Cm no .
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
The default is
.Cm yes .
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
If set to
.Cm yes
then the client must authenticate against the host
service on the current hostname.
If set to
.Cm no
then the client may authenticate against any service key stored in the
machine's default store.
This facility is provided to assist with operation on multi-homed machines.
The default is
.Cm yes .
.It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased
authentication as a list of comma-separated patterns.
Alternately if the specified list begins with a
.Sq +
character, then the specified signature algorithms will be appended to
the default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified signature algorithms (including wildcards)
will be removed from the default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified signature algorithms will be placed at
the head of the default set.
The default for this option is:
.Bd -literal -offset 3n
ssh-ed25519-cert-v01@openssh.com,
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostbasedAcceptedAlgorithms .
This was formerly named HostbasedAcceptedKeyTypes.
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
(host-based authentication).
The default is
.Cm no .
.It Cm HostbasedUsesNameFromPacketOnly
Specifies whether or not the server will attempt to perform a reverse
name lookup when matching the name in the
.Pa ~/.shosts ,
.Pa ~/.rhosts ,
and
.Pa /etc/hosts.equiv
files during
.Cm HostbasedAuthentication .
A setting of
.Cm yes
means that
.Xr sshd 8
uses the name supplied by the client rather than
attempting to resolve the name from the TCP connection itself.
The default is
.Cm no .
.It Cm HostCertificate
Specifies a file containing a public host certificate.
The certificate's public key must match a private host key already specified
by
.Cm HostKey .
The default behaviour of
.Xr sshd 8
is not to load any certificates.
.It Cm HostKey
Specifies a file containing a private host key
used by SSH.
The defaults are
.Pa /etc/ssh/ssh_host_ecdsa_key ,
.Pa /etc/ssh/ssh_host_ed25519_key
and
.Pa /etc/ssh/ssh_host_rsa_key .
.Pp
Note that
.Xr sshd 8
will refuse to use a file if it is group/world-accessible
and that the
.Cm HostKeyAlgorithms
option restricts which of the keys are actually used by
.Xr sshd 8 .
.Pp
It is possible to have multiple host key files.
It is also possible to specify public host key files instead.
In this case operations on the private key will be delegated
to an
.Xr ssh-agent 1 .
.It Cm HostKeyAgent
Identifies the UNIX-domain socket used to communicate
with an agent that has access to the private host keys.
If the string
.Qq SSH_AUTH_SOCK
is specified, the location of the socket will be read from the
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
Specifies the host key signature algorithms
that the server offers.
The default for this option is:
.Bd -literal -offset 3n
ssh-ed25519-cert-v01@openssh.com,
ecdsa-sha2-nistp256-cert-v01@openssh.com,
ecdsa-sha2-nistp384-cert-v01@openssh.com,
ecdsa-sha2-nistp521-cert-v01@openssh.com,
sk-ssh-ed25519-cert-v01@openssh.com,
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
rsa-sha2-512-cert-v01@openssh.com,
rsa-sha2-256-cert-v01@openssh.com,
ssh-ed25519,
ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
sk-ssh-ed25519@openssh.com,
sk-ecdsa-sha2-nistp256@openssh.com,
rsa-sha2-512,rsa-sha2-256
.Ed
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
Specifies whether to ignore per-user
.Pa .rhosts
and
.Pa .shosts
files during
.Cm HostbasedAuthentication .
The system-wide
.Pa /etc/hosts.equiv
and
.Pa /etc/ssh/shosts.equiv
are still used regardless of this setting.
.Pp
Accepted values are
.Cm yes
(the default) to ignore all per-user files,
.Cm shosts-only
to allow the use of
.Pa .shosts
but to ignore
.Pa .rhosts
or
.Cm no
to allow both
.Pa .shosts
and
.Pa .rhosts .
.It Cm IgnoreUserKnownHosts
Specifies whether
.Xr sshd 8
should ignore the user's
.Pa ~/.ssh/known_hosts
during
.Cm HostbasedAuthentication
and use only the system-wide known hosts file
.Pa /etc/ssh/ssh_known_hosts .
The default is
.Cm no .
.It Cm Include
Include the specified configuration file(s).
Multiple pathnames may be specified and each pathname may contain
.Xr glob 7
wildcards that will be expanded and processed in lexical order.
Files without absolute paths are assumed to be in
.Pa /etc/ssh .
An
.Cm Include
directive may appear inside a
.Cm Match
block
to perform conditional inclusion.
.It Cm IPQoS
Specifies the IPv4 type-of-service or DSCP class for the connection.
Accepted values are
.Cm af11 ,
.Cm af12 ,
.Cm af13 ,
.Cm af21 ,
.Cm af22 ,
.Cm af23 ,
.Cm af31 ,
.Cm af32 ,
.Cm af33 ,
.Cm af41 ,
.Cm af42 ,
.Cm af43 ,
.Cm cs0 ,
.Cm cs1 ,
.Cm cs2 ,
.Cm cs3 ,
.Cm cs4 ,
.Cm cs5 ,
.Cm cs6 ,
.Cm cs7 ,
.Cm ef ,
.Cm le ,
.Cm lowdelay ,
.Cm throughput ,
.Cm reliability ,
a numeric value, or
.Cm none
to use the operating system default.
This option may take one or two arguments, separated by whitespace.
If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
.Cm af21
(Low-Latency Data)
for interactive sessions and
.Cm cs1
(Lower Effort)
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.
All authentication styles from
.Xr login.conf 5
are supported.
The default is
.Cm yes .
The argument to this keyword must be
.Cm yes
or
.Cm no .
.Cm ChallengeResponseAuthentication
is a deprecated alias for this.
.It Cm KerberosAuthentication
Specifies whether the password provided by the user for
.Cm PasswordAuthentication
will be validated through the Kerberos KDC.
To use this option, the server needs a
Kerberos servtab which allows the verification of the KDC's identity.
The default is
.Cm no .
.It Cm KerberosGetAFSToken
If AFS is active and the user has a Kerberos 5 TGT, attempt to acquire
an AFS token before accessing the user's home directory.
The default is
.Cm no .
.It Cm KerberosOrLocalPasswd
If password authentication through Kerberos fails then
the password will be validated via any additional local mechanism
such as
.Pa /etc/passwd .
The default is
.Cm yes .
.It Cm KerberosTicketCleanup
Specifies whether to automatically destroy the user's ticket cache
file on logout.
The default is
.Cm yes .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
Alternately if the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
default set.
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
.It
curve25519-sha256
.It
curve25519-sha256@libssh.org
.It
diffie-hellman-group1-sha1
.It
diffie-hellman-group14-sha1
.It
diffie-hellman-group14-sha256
.It
diffie-hellman-group16-sha512
.It
diffie-hellman-group18-sha512
.It
diffie-hellman-group-exchange-sha1
.It
diffie-hellman-group-exchange-sha256
.It
ecdh-sha2-nistp256
.It
ecdh-sha2-nistp384
.It
ecdh-sha2-nistp521
.It
sntrup761x25519-sha512@openssh.com
.El
.Pp
The default is:
.Bd -literal -offset indent
sntrup761x25519-sha512@openssh.com,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256,
diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
diffie-hellman-group14-sha256
.Ed
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress
Specifies the local addresses
.Xr sshd 8
should listen on.
The following forms may be used:
.Pp
.Bl -item -offset indent -compact
.It
.Cm ListenAddress
.Sm off
.Ar hostname | address
.Sm on
.Op Cm rdomain Ar domain
.It
.Cm ListenAddress
.Sm off
.Ar hostname : port
.Sm on
.Op Cm rdomain Ar domain
.It
.Cm ListenAddress
.Sm off
.Ar IPv4_address : port
.Sm on
.Op Cm rdomain Ar domain
.It
.Cm ListenAddress
.Sm off
.Oo Ar hostname | address Oc : Ar port
.Sm on
.Op Cm rdomain Ar domain
.El
.Pp
The optional
.Cm rdomain
qualifier requests
.Xr sshd 8
listen in an explicit routing domain.
If
.Ar port
is not specified,
sshd will listen on the address and all
.Cm Port
options specified.
The default is to listen on all local addresses on the current default
routing domain.
Multiple
.Cm ListenAddress
options are permitted.
For more information on routing domains, see
.Xr rdomain 4 .
.It Cm LoginGraceTime
The server disconnects after this time if the user has not
successfully logged in.
If the value is 0, there is no time limit.
The default is 120 seconds.
.It Cm LogLevel
Gives the verbosity level that is used when logging messages from
.Xr sshd 8 .
The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
The default is INFO.
DEBUG and DEBUG1 are equivalent.
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm LogVerbose
Specify one or more overrides to LogLevel.
An override consists of a pattern list that matches the source file, function
and line number to force detailed logging for.
For example, an override pattern of:
.Bd -literal -offset indent
kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
.Ed
.Pp
would enable detailed logging for line 1000 of
.Pa kex.c ,
everything in the
.Fn kex_exchange_identification
function, and all code in the
.Pa packet.c
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
character, then the specified algorithms will be appended to the default set
instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
from the default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
default set.
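.Pp
The '+', '-' and '^' list syntax is shared by Ciphers, HostbasedAcceptedAlgorithms, KexAlgorithms and MACs; the following Python, an added example and not OpenSSH code, resolves a directive value against a default and a supported set, using the Ciphers lists printed on this page. It assumes that wildcards are honoured in the '-' form as described, that names in the other forms must appear literally in the supported set (an unknown name is an error, as an unknown cipher is for sshd), and that an entry already present is not duplicated; the flag_entries helper is an added audit convenience.

```python
"""Resolve sshd_config algorithm lists with the +/-/^ prefix syntax (added example)."""
import re
from typing import List, Sequence

# Supported and default Ciphers exactly as listed on this page.
SUPPORTED_CIPHERS = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


def wildcard_match(pattern: str, name: str) -> bool:
    """PATTERNS style: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def _concat_unique(first: Sequence[str], second: Sequence[str]) -> List[str]:
    """first, followed by the entries of second not already present (assumed)."""
    result = list(first)
    for name in second:
        if name not in result:
            result.append(name)
    return result


def resolve_algorithm_list(spec: str, default: Sequence[str],
                           supported: Sequence[str]) -> List[str]:
    """Effective list for one directive value:
    ''        -> the default set unchanged
    'a,b'     -> replaces the default set
    '+a,b'    -> default set with a,b appended
    '-pat,..' -> default set minus entries matching the patterns (wildcards)
    '^a,b'    -> a,b placed at the head of the default set
    Raises ValueError when a resulting name is not in the supported set."""
    spec = spec.strip()
    if not spec:
        return list(default)
    prefix, body = (spec[0], spec[1:]) if spec[0] in "+-^" else ("", spec)
    names = [n for n in body.split(",") if n]
    if prefix == "-":
        result = [d for d in default
                  if not any(wildcard_match(p, d) for p in names)]
    elif prefix == "+":
        result = _concat_unique(default, names)
    elif prefix == "^":
        result = _concat_unique(names, default)
    else:
        result = _concat_unique([], names)
    unknown = [n for n in result if n not in supported]
    if unknown:
        raise ValueError("unsupported algorithm(s): " + ",".join(unknown))
    return result


def spec_is_valid(spec: str, default: Sequence[str], supported: Sequence[str]) -> bool:
    """True when the value would be accepted, False when it names an unknown algorithm."""
    try:
        resolve_algorithm_list(spec, default, supported)
        return True
    except ValueError:
        return False


def flag_entries(algorithms: Sequence[str], patterns: Sequence[str]) -> List[str]:
    """Audit helper: entries of an effective list matching any of the given
    patterns, e.g. ['*-cbc', '3des*'] to spot CBC ciphers re-enabled via '+'."""
    return [a for a in algorithms if any(wildcard_match(p, a) for p in patterns)]


if __name__ == "__main__":
    for value in ["", "-chacha20*", "+aes256-cbc", "^aes256-gcm@openssh.com",
                  "aes256-gcm@openssh.com,aes128-gcm@openssh.com"]:
        effective = resolve_algorithm_list(value, DEFAULT_CIPHERS, SUPPORTED_CIPHERS)
        print(f"Ciphers {value!r:45} -> {','.join(effective)}")
        if flag_entries(effective, ["*-cbc"]):
            print("  note: CBC ciphers enabled:", flag_entries(effective, ["*-cbc"]))
    print("'+no-such-cipher' accepted?",
          spec_is_valid("+no-such-cipher", DEFAULT_CIPHERS, SUPPORTED_CIPHERS))
```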
.Pp
The algorithms that contain
.Qq -etm
calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use is recommended.
The supported MACs are:
.Pp
.Bl -item -compact -offset indent
.It
hmac-md5
.It
hmac-md5-96
.It
hmac-sha1
.It
hmac-sha1-96
.It
hmac-sha2-256
.It
hmac-sha2-512
.It
umac-64@openssh.com
.It
umac-128@openssh.com
.It
hmac-md5-etm@openssh.com
.It
hmac-md5-96-etm@openssh.com
.It
hmac-sha1-etm@openssh.com
.It
hmac-sha1-96-etm@openssh.com
.It
hmac-sha2-256-etm@openssh.com
.It
hmac-sha2-512-etm@openssh.com
.It
umac-64-etm@openssh.com
.It
umac-128-etm@openssh.com
.El
.Pp
The default is:
.Bd -literal -offset indent
umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,
umac-64@openssh.com,umac-128@openssh.com,
hmac-sha2-256,hmac-sha2-512,hmac-sha1
.Ed
.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm Match
Introduces a conditional block.
If all of the criteria on the
.Cm Match
line are satisfied, the keywords on the following lines override those
set in the global section of the config file, until either another
.Cm Match
line or the end of the file.
If a keyword appears in multiple
.Cm Match
blocks that are satisfied, only the first instance of the keyword is
applied.
.Pp
The arguments to
.Cm Match
are one or more criteria-pattern pairs or the single token
.Cm All
which matches all criteria.
The available criteria are
.Cm User ,
.Cm Group ,
.Cm Host ,
.Cm LocalAddress ,
.Cm LocalPort ,
.Cm RDomain ,
and
.Cm Address
(with
.Cm RDomain
representing the
.Xr rdomain 4
on which the connection was received).
.Pp
The match patterns may consist of single entries or comma-separated
lists and may use the wildcard and negation operators described in the
.Sx PATTERNS
section of
.Xr ssh_config 5 .
.Pp
The patterns in an
.Cm Address
criterion may additionally contain addresses to match in CIDR
address/masklen format,
such as 192.0.2.0/24 or 2001:db8::/32.
Note that the mask length provided must be consistent with the address:
it is an error to specify a mask length that is too long for the address
or one with bits set in the host portion of the address.
For example, 192.0.2.0/33 and 192.0.2.0/8, respectively.
.Pp
Only a subset of keywords may be used on the lines following a
.Cm Match
keyword.
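.Pp
The CIDR consistency rule and the negation semantics of a
.Cm Match Address
pattern list, as an added Python check that is not part of OpenSSH (function names are this example's own; the standard
.Li ipaddress
module does the mask validation):

```python
"""Validate and evaluate Match Address patterns from sshd_config.

Added example, not sshd code.  It applies the rules the manual page states:
CIDR entries must have a mask no longer than the address and no host bits
set; entries are comma-separated and may be negated with '!'.
"""
import ipaddress
from fnmatch import fnmatchcase


def validate_address_pattern(pattern):
    """Return None if every comma-separated entry is acceptable, otherwise a
    description of the first offending entry (e.g. 192.0.2.0/33 or
    192.0.2.0/8, the two error cases the page gives)."""
    for entry in pattern.split(","):
        item = entry[1:] if entry.startswith("!") else entry
        if "/" not in item:
            continue            # plain address or wildcard pattern
        try:
            # strict=True rejects host bits set below the mask (192.0.2.0/8);
            # an over-long mask (192.0.2.0/33) is rejected in either mode
            ipaddress.ip_network(item, strict=True)
        except ValueError as e:
            return "%s: %s" % (entry, e)
    return None


def address_matches(addr, pattern):
    """Evaluate the peer address `addr` against a Match Address pattern list.

    A negated entry that matches fails the whole list immediately; otherwise
    the list succeeds if any positive entry matched (the PATTERNS semantics
    the page refers to).  CIDR entries are compared as networks, everything
    else as a wildcard pattern over the address string.
    """
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in pattern.split(","):
        negate = entry.startswith("!")
        item = entry[1:] if negate else entry
        if "/" in item:
            # a network of the other IP version simply does not contain `ip`
            hit = ip in ipaddress.ip_network(item, strict=True)
        else:
            hit = fnmatchcase(addr, item)
        if hit and negate:
            return False
        if hit:
            matched = True
    return matched
```

Run `validate_address_pattern` over every `Match Address` line when linting a config: a rejected mask is a hard error for
.Xr sshd 8 ,
so catching it before a restart avoids a daemon that refuses to start.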
Available keywords are
.Cm AcceptEnv ,
.Cm AllowAgentForwarding ,
.Cm AllowGroups ,
.Cm AllowStreamLocalForwarding ,
.Cm AllowTcpForwarding ,
.Cm AllowUsers ,
.Cm AuthenticationMethods ,
.Cm AuthorizedKeysCommand ,
.Cm AuthorizedKeysCommandUser ,
.Cm AuthorizedKeysFile ,
.Cm AuthorizedPrincipalsCommand ,
.Cm AuthorizedPrincipalsCommandUser ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm CASignatureAlgorithms ,
.Cm ChannelTimeout ,
.Cm ChrootDirectory ,
.Cm ClientAliveCountMax ,
.Cm ClientAliveInterval ,
.Cm DenyGroups ,
.Cm DenyUsers ,
.Cm DisableForwarding ,
.Cm ExposeAuthInfo ,
.Cm ForceCommand ,
.Cm GatewayPorts ,
.Cm GSSAPIAuthentication ,
.Cm HostbasedAcceptedAlgorithms ,
.Cm HostbasedAuthentication ,
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm IgnoreRhosts ,
.Cm Include ,
.Cm IPQoS ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
.Cm LogLevel ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitListen ,
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm PermitTTY ,
.Cm PermitTunnel ,
.Cm PermitUserRC ,
.Cm PubkeyAcceptedAlgorithms ,
.Cm PubkeyAuthentication ,
.Cm PubkeyAuthOptions ,
.Cm RekeyLimit ,
.Cm RevokedKeys ,
.Cm RDomain ,
.Cm SetEnv ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys ,
.Cm UnusedConnectionTimeout ,
.Cm X11DisplayOffset ,
.Cm X11Forwarding
and
.Cm X11UseLocalhost .
.It Cm MaxAuthTries
Specifies the maximum number of authentication attempts permitted per
connection.
Once the number of failures reaches half this value,
additional failures are logged.
The default is 6.
.It Cm MaxSessions
Specifies the maximum number of open shell, login or subsystem (e.g. sftp)
sessions permitted per network connection.
Multiple sessions may be established by clients that support connection
multiplexing.
Setting
.Cm MaxSessions
to 1 will effectively disable session multiplexing, whereas setting it to 0
will prevent all shell, login and subsystem sessions while still permitting
forwarding.
The default is 10.
.It Cm MaxStartups
Specifies the maximum number of concurrent unauthenticated connections to the
SSH daemon.
Additional connections will be dropped until authentication succeeds or the
.Cm LoginGraceTime
expires for a connection.
The default is 10:30:100.
.Pp
Alternatively, random early drop can be enabled by specifying
the three colon separated values
start:rate:full (e.g. "10:30:60").
.Xr sshd 8
will refuse connection attempts with a probability of rate/100 (30%)
if there are currently start (10) unauthenticated connections.
The probability increases linearly and all connection attempts
are refused if the number of unauthenticated connections reaches full (60).
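.Pp
The random early drop ramp just described, worked through as an added Python model (not sshd's own code; the function names are this example's, and a bare
.Cm MaxStartups Ar N
is modelled as a hard cap, which is this example's reading of the first paragraph):

```python
"""MaxStartups parsing and the random-early-drop probability it defines.

Added example, not sshd code.  It models the behaviour the manual page
describes: with start:rate:full, a new unauthenticated connection is refused
with probability rate/100 once `start` connections are pending, rising
linearly to certainty at `full`.
"""
import random


def parse_max_startups(value):
    """Parse 'N' or 'start:rate:full' into a (start, rate, full) tuple.

    A bare 'N' (hard limit) is modelled as (N, 100, N): once N connections
    are pending the next one is refused with certainty.
    """
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return (n, 100, n)
    if len(parts) != 3:
        raise ValueError("expected N or start:rate:full: %r" % value)
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full) or not (0 <= rate <= 100):
        raise ValueError("bad MaxStartups values: %r" % value)
    return (start, rate, full)


def drop_probability(unauth, start, rate, full):
    """Probability that the next connection is refused when `unauth`
    unauthenticated connections are already pending."""
    if unauth < start:
        return 0.0          # below `start`: never refused
    if unauth >= full:
        return 1.0          # at `full`: always refused
    # linear ramp from rate/100 at `start` up to 1.0 at `full`
    return rate / 100 + (1 - rate / 100) * (unauth - start) / (full - start)


def should_drop(unauth, start, rate, full, rng=random):
    """One random early drop decision for a new connection attempt."""
    return rng.random() < drop_probability(unauth, start, rate, full)


def simulate_drop_rate(unauth, cfg, trials=10000, seed=0):
    """Fraction of `trials` attempts refused at a given backlog; useful for
    sanity-checking a proposed value before deploying it."""
    rng = random.Random(seed)
    start, rate, full = cfg
    dropped = sum(should_drop(unauth, start, rate, full, rng)
                  for _ in range(trials))
    return dropped / trials
```

With the page's "10:30:60" example, `drop_probability(10, 10, 30, 60)` is 0.3 and `drop_probability(35, 10, 30, 60)` is 0.65; `simulate_drop_rate` converges on the same numbers, which is a quick way to see how aggressive a proposed `full` value is under a connection flood.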
.It Cm ModuliFile
Specifies the
.Xr moduli 5
file that contains the Diffie-Hellman groups used for the
.Dq diffie-hellman-group-exchange-sha1
and
.Dq diffie-hellman-group-exchange-sha256
key exchange methods.
The default is
.Pa /etc/moduli .
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
Note that passwords may also be accepted via
.Cm KbdInteractiveAuthentication .
See also
.Cm UsePAM .
The default is
.Cm no .
.It Cm PermitEmptyPasswords
When password authentication is allowed, it specifies whether the
server allows login to accounts with empty password strings.
The default is
.Cm no .
.It Cm PermitListen
Specifies the addresses/ports on which a remote TCP port forwarding may listen.
The listen specification must be one of the following forms:
.Pp
.Bl -item -offset indent -compact
.It
.Cm PermitListen
.Sm off
.Ar port
.Sm on
.It
.Cm PermitListen
.Sm off
.Ar host : port
.Sm on
.El
.Pp
Multiple permissions may be specified by separating them with whitespace.
An argument of
.Cm any
can be used to remove all restrictions and permit any listen requests.
An argument of
.Cm none
can be used to prohibit all listen requests.
The host name may contain wildcards as described in the PATTERNS section in
.Xr ssh_config 5 .
The wildcard
.Sq *
can also be used in place of a port number to allow all ports.
By default all port forwarding listen requests are permitted.
Note that the
.Cm GatewayPorts
option may further restrict which addresses may be listened on.
Note also that
.Xr ssh 1
will request a listen host of
.Dq localhost
if no listen host was specifically requested, and this name is
treated differently from explicit localhost addresses of
.Dq 127.0.0.1
and
.Dq ::1 .
.It Cm PermitOpen
Specifies the destinations to which TCP port forwarding is permitted.
The forwarding specification must be one of the following forms:
.Pp
.Bl -item -offset indent -compact
.It
.Cm PermitOpen
.Sm off
.Ar host : port
.Sm on
.It
.Cm PermitOpen
.Sm off
.Ar IPv4_addr : port
.Sm on
.It
.Cm PermitOpen
.Sm off
.Ar \&[ IPv6_addr \&] : port
.Sm on
.El
.Pp
Multiple forwards may be specified by separating them with whitespace.
An argument of
.Cm any
can be used to remove all restrictions and permit any forwarding requests.
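.Pp
The
.Cm PermitListen
and
.Cm PermitOpen
forms described above, as an added Python policy checker that is not part of OpenSSH (function names are this example's own; treating a bare
.Cm PermitListen
port as allowing any listen host is this example's assumption). It shows the two behaviours a practitioner most often trips over: that
.Cm PermitOpen
does no lookups or pattern matching, so a name and its address are different entries, and that a
.Dq localhost
listen host is not the same as
.Dq 127.0.0.1 :

```python
"""Check forwarding requests against PermitOpen / PermitListen policies.

Added example, not sshd code.  Implements the forms the manual page lists:
'any', 'none', host:port, IPv4_addr:port, [IPv6_addr]:port, a bare port
(PermitListen only) and '*' for host or port.
"""
from fnmatch import fnmatchcase


def _split_hostport(spec):
    """'host:port', '[v6]:port' or bare 'port' -> (host or None, port str).

    IPv6 addresses must be bracketed, as the page requires; an unbracketed
    one would be split at its last colon.
    """
    if spec.startswith("["):
        end = spec.index("]")
        host, rest = spec[1:end], spec[end + 1:]
        if not rest.startswith(":"):
            raise ValueError("bad spec: %r" % spec)
        port = rest[1:]
    elif ":" in spec:
        host, port = spec.rsplit(":", 1)
    else:
        host, port = None, spec
    if port != "*" and not port.isdigit():
        raise ValueError("bad port in %r" % spec)
    return host, port


def parse_permit(value, listen=False):
    """Parse a PermitOpen (listen=False) or PermitListen value.

    Returns 'any', 'none' or a list of (host, port) entries.
    """
    v = value.strip()
    if v in ("any", "none"):
        return v
    entries = []
    for spec in v.split():
        host, port = _split_hostport(spec)
        if host is None:
            if not listen:
                raise ValueError("PermitOpen requires host:port: %r" % spec)
            host = "*"      # bare PermitListen port: any listen host (assumption)
        entries.append((host, port))
    return entries


def permitted(policy, host, port, listen=False):
    """Is a request to open/listen on (host, port) allowed by `policy`?"""
    if policy == "any":
        return True
    if policy == "none":
        return False
    for phost, pport in policy:
        if pport != "*" and int(pport) != port:
            continue
        if listen:
            # PermitListen hosts may use PATTERNS wildcards; 'localhost'
            # is a literal name distinct from 127.0.0.1 / ::1
            if fnmatchcase(host, phost):
                return True
        elif phost == "*" or phost == host:
            # PermitOpen: exact string compare, no lookup, no pattern
            return True
    return False
```

Because the comparison is literal, a `PermitOpen db.example.com:5432` entry does not permit a forward requested as `192.0.2.10:5432` even if that is the name's address; list both if both forms must work.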
An argument of
.Cm none
can be used to prohibit all forwarding requests.
The wildcard
.Sq *
can be used for host or port to allow all hosts or ports respectively.
Otherwise, no pattern matching or address lookups are performed on supplied
names.
By default all port forwarding requests are permitted.
.It Cm PermitRootLogin
Specifies whether root can log in using
.Xr ssh 1 .
The argument must be
.Cm yes ,
.Cm prohibit-password ,
.Cm forced-commands-only ,
or
.Cm no .
The default is
.Cm no .
Note that if
.Cm ChallengeResponseAuthentication
and
.Cm UsePAM
are both
.Cm yes ,
this setting may be overridden by the PAM policy.
.Pp
If this option is set to
.Cm prohibit-password
(or its deprecated alias,
.Cm without-password ) ,
password and keyboard-interactive authentication are disabled for root.
.Pp
If this option is set to
.Cm forced-commands-only ,
root login with public key authentication will be allowed,
but only if the
.Ar command
option has been specified
(which may be useful for taking remote backups even if root login is
normally not allowed).
All other authentication methods are disabled for root.
.Pp
If this option is set to
.Cm no ,
root is not allowed to log in.
.It Cm PermitTTY
Specifies whether
.Xr pty 4
allocation is permitted.
The default is
.Cm yes .
.It Cm PermitTunnel
Specifies whether
.Xr tun 4
device forwarding is allowed.
The argument must be
.Cm yes ,
.Cm point-to-point
(layer 3),
.Cm ethernet
(layer 2), or
.Cm no .
Specifying
.Cm yes
permits both
.Cm point-to-point
and
.Cm ethernet .
The default is
.Cm no .
.Pp
Independent of this setting, the permissions of the selected
.Xr tun 4
device must allow access to the user.
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
and
.Cm environment=
options in
.Pa ~/.ssh/authorized_keys
are processed by
.Xr sshd 8 .
Valid options are
.Cm yes ,
.Cm no
or a pattern-list specifying which environment variable names to accept
(for example
.Qq LANG,LC_* ) .
The default is
.Cm no .
Enabling environment processing may enable users to bypass access
restrictions in some configurations using mechanisms such as
.Ev LD_PRELOAD .
.It Cm PermitUserRC
Specifies whether any
.Pa ~/.ssh/rc
file is executed.
The default is
.Cm yes .
.It Cm PerSourceMaxStartups
Specifies the number of unauthenticated connections allowed from a
given source address, or
.Dq none
if there is no limit.
This limit is applied in addition to
.Cm MaxStartups ,
whichever is lower.
The default is
.Cm none .
.It Cm PerSourceNetBlockSize
Specifies the number of bits of source address that are grouped together
for the purposes of applying PerSourceMaxStartups limits.
Values for IPv4 and optionally IPv6 may be specified, separated by a colon.
The default is
.Cm 32:128 ,
which means each address is considered individually.
.It Cm PidFile
Specifies the file that contains the process ID of the
SSH daemon, or
.Cm none
to not write one.
The default is
.Pa /var/run/sshd.pid .
.It Cm Port
Specifies the port number that
.Xr sshd 8
listens on.
The default is 22.
Multiple options of this type are permitted.
See also
.Cm ListenAddress .
.It Cm PrintLastLog
Specifies whether
.Xr sshd 8
should print the date and time of the last user login when a user logs
in interactively.
The default is
.Cm yes .
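.Pp
The
.Cm PerSourceMaxStartups
and
.Cm PerSourceNetBlockSize
options described above, as an added Python model that is not sshd's own code (function names are this example's; representing the global
.Cm MaxStartups
limit as a plain cap on the pending count, without its random early drop, is this example's simplification). It shows how the netblock size changes which pending connections count against a new one:

```python
"""Group pending unauthenticated connections by source netblock, as
PerSourceNetBlockSize / PerSourceMaxStartups describe.

Added example, not sshd code.  Each source address is masked to the
configured IPv4/IPv6 prefix length, pending connections are counted per
block, and the lower of the per-source and global limits wins.
"""
import ipaddress


def parse_netblock_size(value):
    """'32:128' (the default) or a bare IPv4 value -> (v4_bits, v6_bits).
    With only the IPv4 value given, IPv6 keeps the default of 128."""
    parts = value.split(":")
    v4 = int(parts[0])
    v6 = int(parts[1]) if len(parts) > 1 else 128
    if not (0 <= v4 <= 32 and 0 <= v6 <= 128):
        raise ValueError("bad PerSourceNetBlockSize: %r" % value)
    return v4, v6


def source_block(addr, v4_bits, v6_bits):
    """The netblock (ipaddress network object) that `addr` is grouped into."""
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    # strict=False masks the host bits off instead of raising
    return ipaddress.ip_network("%s/%d" % (ip, bits), strict=False)


def per_source_counts(pending, v4_bits, v6_bits):
    """Map each netblock to the number of pending connections inside it."""
    counts = {}
    for addr in pending:
        key = source_block(addr, v4_bits, v6_bits)
        counts[key] = counts.get(key, 0) + 1
    return counts


def accept_new(pending, new_addr, per_source_max, netblock="32:128",
               global_limit=None):
    """Would a new unauthenticated connection from `new_addr` stay within the
    limits?  `per_source_max` is an int or 'none'; `global_limit`, when
    given, is a hard cap on the total pending count (simplified MaxStartups).
    Both limits must pass, which is what "whichever is lower" amounts to.
    """
    if global_limit is not None and len(pending) >= global_limit:
        return False
    if per_source_max == "none":
        return True
    v4, v6 = parse_netblock_size(netblock)
    key = source_block(new_addr, v4, v6)
    in_block = per_source_counts(pending, v4, v6).get(key, 0)
    return in_block < int(per_source_max)
```

A `24:64` block size with a small `PerSourceMaxStartups` is the usual defensive setting: one /24 or /64 flooding the daemon with half-open sessions is contained without the global `MaxStartups` ramp having to refuse unrelated clients.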
1572545d5ecaSDag-Erling Smørgrav.It Cm PrintMotd 1573545d5ecaSDag-Erling SmørgravSpecifies whether 1574333ee039SDag-Erling Smørgrav.Xr sshd 8 1575545d5ecaSDag-Erling Smørgravshould print 1576545d5ecaSDag-Erling Smørgrav.Pa /etc/motd 1577545d5ecaSDag-Erling Smørgravwhen a user logs in interactively. 1578545d5ecaSDag-Erling Smørgrav(On some systems it is also printed by the shell, 1579545d5ecaSDag-Erling Smørgrav.Pa /etc/profile , 1580545d5ecaSDag-Erling Smørgravor equivalent.) 1581545d5ecaSDag-Erling SmørgravThe default is 1582ca86bcf2SDag-Erling Smørgrav.Cm yes . 158319261079SEd Maste.It Cm PubkeyAcceptedAlgorithms 158419261079SEd MasteSpecifies the signature algorithms that will be accepted for public key 158519261079SEd Masteauthentication as a list of comma-separated patterns. 158619261079SEd MasteAlternately if the specified list begins with a 1587eccfee6eSDag-Erling Smørgrav.Sq + 158819261079SEd Mastecharacter, then the specified algorithms will be appended to the default set 1589eccfee6eSDag-Erling Smørgravinstead of replacing them. 159019261079SEd MasteIf the specified list begins with a 1591d93a896eSDag-Erling Smørgrav.Sq - 159219261079SEd Mastecharacter, then the specified algorithms (including wildcards) will be removed 1593d93a896eSDag-Erling Smørgravfrom the default set instead of replacing them. 159419261079SEd MasteIf the specified list begins with a 159519261079SEd Maste.Sq ^ 159619261079SEd Mastecharacter, then the specified algorithms will be placed at the head of the 159719261079SEd Mastedefault set. 
1598eccfee6eSDag-Erling SmørgravThe default for this option is: 1599eccfee6eSDag-Erling Smørgrav.Bd -literal -offset 3n 160019261079SEd Mastessh-ed25519-cert-v01@openssh.com, 1601eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp256-cert-v01@openssh.com, 1602eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp384-cert-v01@openssh.com, 1603eccfee6eSDag-Erling Smørgravecdsa-sha2-nistp521-cert-v01@openssh.com, 160419261079SEd Mastesk-ssh-ed25519-cert-v01@openssh.com, 160519261079SEd Mastesk-ecdsa-sha2-nistp256-cert-v01@openssh.com, 160619261079SEd Mastersa-sha2-512-cert-v01@openssh.com, 160719261079SEd Mastersa-sha2-256-cert-v01@openssh.com, 160819261079SEd Mastessh-ed25519, 16099ded3306SDag-Erling Smørgravecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, 161019261079SEd Mastesk-ssh-ed25519@openssh.com, 161119261079SEd Mastesk-ecdsa-sha2-nistp256@openssh.com, 1612cea0d368SEd Mastersa-sha2-512,rsa-sha2-256 1613eccfee6eSDag-Erling Smørgrav.Ed 1614eccfee6eSDag-Erling Smørgrav.Pp 161519261079SEd MasteThe list of available signature algorithms may also be obtained using 161619261079SEd Maste.Qq ssh -Q PubkeyAcceptedAlgorithms . 161719261079SEd Maste.It Cm PubkeyAuthOptions 161819261079SEd MasteSets one or more public key authentication options. 161919261079SEd MasteThe supported keywords are: 162019261079SEd Maste.Cm none 162119261079SEd Maste(the default; indicating no additional options are enabled), 162219261079SEd Maste.Cm touch-required 162319261079SEd Masteand 162419261079SEd Maste.Cm verify-required . 
162519261079SEd Maste.Pp 162619261079SEd MasteThe 162719261079SEd Maste.Cm touch-required 162819261079SEd Masteoption causes public key authentication using a FIDO authenticator algorithm 162919261079SEd Maste(i.e.\& 163019261079SEd Maste.Cm ecdsa-sk 163119261079SEd Masteor 163219261079SEd Maste.Cm ed25519-sk ) 163319261079SEd Masteto always require the signature to attest that a physically present user 163419261079SEd Masteexplicitly confirmed the authentication (usually by touching the authenticator). 163519261079SEd MasteBy default, 163619261079SEd Maste.Xr sshd 8 163719261079SEd Masterequires user presence unless overridden with an authorized_keys option. 163819261079SEd MasteThe 163919261079SEd Maste.Cm touch-required 164019261079SEd Masteflag disables this override. 164119261079SEd Maste.Pp 164219261079SEd MasteThe 164319261079SEd Maste.Cm verify-required 164419261079SEd Masteoption requires a FIDO key signature attest that the user was verified, 164519261079SEd Mastee.g. via a PIN. 164619261079SEd Maste.Pp 164719261079SEd MasteNeither the 164819261079SEd Maste.Cm touch-required 164919261079SEd Masteor 165019261079SEd Maste.Cm verify-required 165119261079SEd Masteoptions have any effect for other, non-FIDO, public key types. 1652545d5ecaSDag-Erling Smørgrav.It Cm PubkeyAuthentication 1653545d5ecaSDag-Erling SmørgravSpecifies whether public key authentication is allowed. 1654545d5ecaSDag-Erling SmørgravThe default is 1655ca86bcf2SDag-Erling Smørgrav.Cm yes . 1656e4a9863fSDag-Erling Smørgrav.It Cm RekeyLimit 165738a52bd3SEd MasteSpecifies the maximum amount of data that may be transmitted or received 165838a52bd3SEd Mastebefore the session key is renegotiated, optionally followed by a maximum 165938a52bd3SEd Masteamount of time that may pass before the session key is renegotiated. 
1660e4a9863fSDag-Erling SmørgravThe first argument is specified in bytes and may have a suffix of 1661e4a9863fSDag-Erling Smørgrav.Sq K , 1662e4a9863fSDag-Erling Smørgrav.Sq M , 1663e4a9863fSDag-Erling Smørgravor 1664e4a9863fSDag-Erling Smørgrav.Sq G 1665e4a9863fSDag-Erling Smørgravto indicate Kilobytes, Megabytes, or Gigabytes, respectively. 1666e4a9863fSDag-Erling SmørgravThe default is between 1667e4a9863fSDag-Erling Smørgrav.Sq 1G 1668e4a9863fSDag-Erling Smørgravand 1669e4a9863fSDag-Erling Smørgrav.Sq 4G , 1670e4a9863fSDag-Erling Smørgravdepending on the cipher. 1671e4a9863fSDag-Erling SmørgravThe optional second value is specified in seconds and may use any of the 1672e4a9863fSDag-Erling Smørgravunits documented in the 1673e4a9863fSDag-Erling Smørgrav.Sx TIME FORMATS 1674e4a9863fSDag-Erling Smørgravsection. 1675e4a9863fSDag-Erling SmørgravThe default value for 1676e4a9863fSDag-Erling Smørgrav.Cm RekeyLimit 1677e4a9863fSDag-Erling Smørgravis 1678ca86bcf2SDag-Erling Smørgrav.Cm default none , 1679e4a9863fSDag-Erling Smørgravwhich means that rekeying is performed after the cipher's default amount 1680e4a9863fSDag-Erling Smørgravof data has been sent or received and no time based rekeying is done. 168138a52bd3SEd Maste.It Cm RequiredRSASize 168238a52bd3SEd MasteSpecifies the minimum RSA key size (in bits) that 168338a52bd3SEd Maste.Xr sshd 8 168438a52bd3SEd Mastewill accept. 168538a52bd3SEd MasteUser and host-based authentication keys smaller than this limit will be 168638a52bd3SEd Masterefused. 168738a52bd3SEd MasteThe default is 168838a52bd3SEd Maste.Cm 1024 168938a52bd3SEd Mastebits. 169038a52bd3SEd MasteNote that this limit may only be raised from the default. 1691b15c8340SDag-Erling Smørgrav.It Cm RevokedKeys 1692557f75e5SDag-Erling SmørgravSpecifies revoked public keys file, or 1693ca86bcf2SDag-Erling Smørgrav.Cm none 1694557f75e5SDag-Erling Smørgravto not use one. 
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
Keys may be specified as a text file, listing one public key per line, or as
an OpenSSH Key Revocation List (KRL) as generated by
.Xr ssh-keygen 1 .
For more information on KRLs, see the KEY REVOCATION LISTS section in
.Xr ssh-keygen 1 .
.It Cm RDomain
Specifies an explicit routing domain that is applied after authentication
has completed.
The user session, as well as any forwarded or listening IP sockets,
will be bound to this
.Xr rdomain 4 .
If the routing domain is set to
.Cm \&%D ,
then the domain in which the incoming connection was received will be applied.
.It Cm SecurityKeyProvider
Specifies a path to a library that will be used when loading
FIDO authenticator-hosted keys, overriding the default of using
the built-in USB HID support.
.It Cm SetEnv
Specifies one or more environment variables to set in child sessions started
by
.Xr sshd 8
as
.Dq NAME=VALUE .
The environment value may be quoted (e.g. if it contains whitespace
characters).
Environment variables set by
.Cm SetEnv
override the default environment and any variables specified by the user
via
.Cm AcceptEnv
or
.Cm PermitUserEnvironment .
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
used when creating a Unix-domain socket file for local or remote
port forwarding.
This option is only used for port forwarding to a Unix-domain socket file.
.Pp
The default value is 0177, which creates a Unix-domain socket file that is
readable and writable only by the owner.
Note that not all operating systems honor the file mode on Unix-domain
socket files.
.It Cm StreamLocalBindUnlink
Specifies whether to remove an existing Unix-domain socket file for local
or remote port forwarding before creating a new one.
If the socket file already exists and
.Cm StreamLocalBindUnlink
is not enabled,
.Nm sshd
will be unable to forward the port to the Unix-domain socket file.
This option is only used for port forwarding to a Unix-domain socket file.
.Pp
The argument must be
.Cm yes
or
.Cm no .
The default is
.Cm no .
.It Cm StrictModes
Specifies whether
.Xr sshd 8
should check file modes and ownership of the
user's files and home directory before accepting login.
This is normally desirable because novices sometimes accidentally leave their
directory or files world-writable.
The default is
.Cm yes .
Note that this does not apply to
.Cm ChrootDirectory ,
whose permissions and ownership are checked unconditionally.
.It Cm Subsystem
Configures an external subsystem (e.g. file transfer daemon).
Arguments should be a subsystem name and a command (with optional arguments)
to execute upon subsystem request.
.Pp
The command
.Cm sftp-server
implements the SFTP file transfer subsystem.
.Pp
Alternatively, the name
.Cm internal-sftp
implements an in-process SFTP server.
This may simplify configurations using
.Cm ChrootDirectory
to force a different filesystem root on clients.
.Pp
By default no subsystems are defined.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
On the other hand, if TCP keepalives are not sent,
sessions may hang indefinitely on the server, leaving
.Qq ghost
users and consuming server resources.
.Pp
The default is
.Cm yes
(to send TCP keepalive messages), and the server will notice
if the network goes down or the client host crashes.
This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
.Cm no .
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication, or
.Cm none
to not use one.
Keys are listed one per line; empty lines and comments starting with
.Ql #
are allowed.
If a certificate is presented for authentication and has its signing CA key
listed in this file, then it may be used for authentication for any user
listed in the certificate's principals list.
Note that certificates that lack a list of principals will not be permitted
for authentication using
.Cm TrustedUserCAKeys .
For more details on certificates, see the CERTIFICATES section in
.Xr ssh-keygen 1 .
.It Cm UnusedConnectionTimeout
Specifies whether and how quickly
.Xr sshd 8
should close client connections with no open channels.
Open channels include active shell, command execution or subsystem
sessions, connected network, socket, agent or X11 forwardings.
Forwarding listeners, such as those from the
.Xr ssh 1
.Fl R
flag, are not considered as open channels and do not prevent the timeout.
The timeout value
is specified in seconds or may use any of the units documented in the
.Sx TIME FORMATS
section.
.Pp
Note that this timeout starts when the client connection completes
user authentication but before the client has an opportunity to open any
channels.
Caution should be used when using short timeout values, as they may not
provide sufficient time for the client to request and open its channels
before terminating the connection.
.Pp
The default
.Cm none
is to never expire connections for having no open channels.
This option may be useful in conjunction with
.Cm ChannelTimeout .
.It Cm UseBlacklist
Specifies whether
.Xr sshd 8
attempts to send authentication success and failure messages
to the
.Xr blacklistd 8
daemon.
The default is
.Cm no .
For forward compatibility with an upcoming
.Xr blacklistd
rename, the
.Cm UseBlocklist
alias can be used instead.
.It Cm UseDNS
Specifies whether
.Xr sshd 8
should look up the remote host name, and check that
the resolved host name for the remote IP address maps back to the
very same IP address.
.Pp
If this option is set to
.Cm no ,
then only addresses and not host names may be used in
.Pa ~/.ssh/authorized_keys
.Cm from
and
.Nm
.Cm Match
.Cm Host
directives.
The default is
.Cm yes .
.It Cm UsePAM
Enables the Pluggable Authentication Module interface.
If set to
.Cm yes
this will enable PAM authentication using
.Cm KbdInteractiveAuthentication
and
.Cm PasswordAuthentication
in addition to PAM account and session module processing for all
authentication types.
.Pp
Because PAM keyboard-interactive authentication usually serves an equivalent
role to password authentication, you should disable either
.Cm PasswordAuthentication
or
.Cm KbdInteractiveAuthentication .
.Pp
If
.Cm UsePAM
is enabled, you will not be able to run
.Xr sshd 8
as a non-root user.
The default is
.Cm yes .
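.Pp
The following is an added example, not part of the OpenSSH or FreeBSD sources:
a small Python reviewer that reads a constructed sshd_config fragment using
sshd's rule that the first value seen for a keyword is the one used, stops at
the conditional Match section, and reports the combinations this page warns
about (UsePAM together with both PasswordAuthentication and
KbdInteractiveAuthentication enabled, StrictModes off, X11Forwarding with
X11UseLocalhost off, and a RequiredRSASize below the 1024-bit floor that can
only be raised).
The two sample configurations, the function names and the wording of the
findings are assumptions of the example, not sshd output.

```python
"""Added example (not OpenSSH code): a static reviewer for an sshd_config.

It keeps the first value sshd would use for each keyword, stops at the first
Match line (those settings depend on the connection and are not reviewed
here; a simplification), and then flags settings this manual page warns about.
"""
from __future__ import annotations

import re

# Defaults this manual page states for the keywords reviewed below.
# PasswordAuthentication and KbdInteractiveAuthentication are deliberately
# not defaulted: that check only fires when a file enables both explicitly.
DEFAULTS = {
    "usepam": "yes",
    "strictmodes": "yes",
    "x11forwarding": "yes",
    "x11uselocalhost": "yes",
    "requiredrsasize": "1024",
}

# keyword, then either '=' or whitespace, then the argument(s)
KEYWORD_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_global(text: str) -> tuple[dict[str, str], list[str]]:
    """Collect the effective global settings (first value wins) plus parser notes."""
    values: dict[str, str] = {}
    notes: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            notes.append(f"line {lineno}: cannot parse {line!r}")
            continue
        key, arg = m.group(1).lower(), m.group(2)
        if key == "match":
            notes.append(f"line {lineno}: Match block begins, remaining lines not reviewed")
            break
        if key in values:
            notes.append(f"line {lineno}: {m.group(1)} already set to {values[key]!r}; "
                         f"sshd keeps the first value, {arg!r} is ignored")
            continue
        values[key] = arg
    return values, notes


def review(text: str) -> list[str]:
    """Return findings for the global section, based on this page's guidance."""
    values, findings = parse_global(text)

    def setting(key: str) -> str:
        return values.get(key, DEFAULTS.get(key, "")).lower()

    if (setting("usepam") == "yes"
            and setting("passwordauthentication") == "yes"
            and setting("kbdinteractiveauthentication") == "yes"):
        findings.append("UsePAM yes with both PasswordAuthentication and "
                        "KbdInteractiveAuthentication enabled: they fill the same role, disable one")
    if setting("strictmodes") == "no":
        findings.append("StrictModes no: sshd will not check ownership and modes of the "
                        "user's files and home directory before accepting login")
    if setting("x11forwarding") == "yes" and setting("x11uselocalhost") == "no":
        findings.append("X11Forwarding yes with X11UseLocalhost no: the proxy display "
                        "listens on the wildcard address and is reachable from remote hosts")
    rsa = setting("requiredrsasize")
    if rsa.isdigit() and int(rsa) < 1024:
        findings.append(f"RequiredRSASize {rsa}: the limit can only be raised above the "
                        "1024-bit default, so this value has no effect")
    return findings


# Constructed sample carrying the weak settings this page warns about.
WEAK_CONFIG = """\
Port 22
UsePAM yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
# second occurrence: sshd keeps the first value (yes) and ignores this line
PasswordAuthentication no
StrictModes no
X11Forwarding yes
X11UseLocalhost no
RequiredRSASize 512
Subsystem sftp internal-sftp
Match User backup
    ChrootDirectory %h
"""

# The same host with each finding addressed (also constructed).
HARDENED_CONFIG = """\
Port 22
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
StrictModes yes
X11Forwarding no
RequiredRSASize 3072
Subsystem sftp internal-sftp
"""

if __name__ == "__main__":
    for finding in review(WEAK_CONFIG):
        print("weak:", finding)
    print("hardened:", review(HARDENED_CONFIG) or "no findings")
```

Run it against a real file with
.Pa sshd -T
output or the raw configuration; the reviewer deliberately leaves Match
blocks alone, since their settings only apply to connections that match.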
.It Cm VersionAddendum
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
.Qq FreeBSD-20230205 .
The value
.Cm none
may be used to disable this.
.It Cm X11DisplayOffset
Specifies the first display number available for
.Xr sshd 8 Ns 's
X11 forwarding.
This prevents sshd from interfering with real X11 servers.
The default is 10.
.It Cm X11Forwarding
Specifies whether X11 forwarding is permitted.
The argument must be
.Cm yes
or
.Cm no .
The default is
.Cm yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
.Xr sshd 8
proxy display is configured to listen on the wildcard address (see
.Cm X11UseLocalhost ) ,
though this is not the default.
Additionally, the authentication spoofing and authentication data
verification and substitution occur on the client side.
The security risk of using X11 forwarding is that the client's X11
display server may be exposed to attack when the SSH client requests
forwarding (see the warnings for
.Cm ForwardX11
in
.Xr ssh_config 5 ) .
A system administrator may have a stance in which they want to
protect clients that may expose themselves to attack by unwittingly
requesting X11 forwarding, which can warrant a
.Cm no
setting.
.Pp
Note that disabling X11 forwarding does not prevent users from
forwarding X11 traffic, as users can always install their own forwarders.
.It Cm X11UseLocalhost
Specifies whether
.Xr sshd 8
should bind the X11 forwarding server to the loopback address or to
the wildcard address.
By default,
sshd binds the forwarding server to the loopback address and sets the
hostname part of the
.Ev DISPLAY
environment variable to
.Cm localhost .
This prevents remote hosts from connecting to the proxy display.
However, some older X11 clients may not function with this
configuration.
.Cm X11UseLocalhost
may be set to
.Cm no
to specify that the forwarding server should be bound to the wildcard
address.
The argument must be
.Cm yes
or
.Cm no .
The default is
.Cm yes .
.It Cm XAuthLocation
Specifies the full pathname of the
.Xr xauth 1
program, or
.Cm none
to not use one.
The default is
.Pa /usr/local/bin/xauth .
.El
.Sh TIME FORMATS
.Xr sshd 8
command-line arguments and configuration file options that specify time
may be expressed using a sequence of the form:
.Sm off
.Ar time Op Ar qualifier ,
.Sm on
where
.Ar time
is a positive integer value and
.Ar qualifier
is one of the following:
.Pp
.Bl -tag -width Ds -compact -offset indent
.It Aq Cm none
seconds
.It Cm s | Cm S
seconds
.It Cm m | Cm M
minutes
.It Cm h | Cm H
hours
.It Cm d | Cm D
days
.It Cm w | Cm W
weeks
.El
.Pp
Each member of the sequence is added together to calculate
the total time value.
.Pp
Time format examples:
.Pp
.Bl -tag -width Ds -compact -offset indent
.It 600
600 seconds (10 minutes)
.It 10m
10 minutes
.It 1h30m
1 hour 30 minutes (90 minutes)
.El
.Sh TOKENS
Arguments to some keywords can make use of tokens,
which are expanded at runtime:
.Pp
.Bl -tag -width XXXX -offset indent -compact
.It %%
A literal
.Sq % .
.It \&%D
The routing domain in which the incoming connection was received.
.It %F
The fingerprint of the CA key.
.It %f
The fingerprint of the key or certificate.
.It %h
The home directory of the user.
.It %i
The key ID in the certificate.
.It %K
The base64-encoded CA key.
.It %k
The base64-encoded key or certificate for authentication.
.It %s
The serial number of the certificate.
.It \&%T
The type of the CA key.
.It %t
The key or certificate type.
.It \&%U
The numeric user ID of the target user.
.It %u
The username.
.El
.Pp
.Cm AuthorizedKeysCommand
accepts the tokens %%, %f, %h, %k, %t, %U, and %u.
.Pp
.Cm AuthorizedKeysFile
accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm AuthorizedPrincipalsCommand
accepts the tokens %%, %F, %f, %h, %i, %K, %k, %s, %T, %t, %U, and %u.
.Pp
.Cm AuthorizedPrincipalsFile
accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm ChrootDirectory
accepts the tokens %%, %h, %U, and %u.
.Pp
.Cm RoutingDomain
accepts the token %D.
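.Pp
An added example, not OpenSSH code, modelling the token rules above in Python:
each keyword accepts only its listed subset, %% yields a literal percent, and
a command line is split into arguments before each argument is expanded, so a
username containing whitespace stays a single argv entry rather than becoming
extra arguments (this is also the order sshd applies to
.Cm AuthorizedKeysCommand ) .
OpenSSH treats a token the keyword does not accept as a fatal configuration
error; this model raises TokenError instead.
The context values, the keys-for path and the helper names are constructed
for the example.

```python
"""Added example (not OpenSSH code): expand sshd_config %-tokens per keyword.

Assumed rules, taken from the TOKENS section: %% is a literal '%', every
other token maps to a per-connection value, and each keyword accepts only
its listed subset.  Values in sample_context() are constructed, not real
keys or fingerprints.
"""
from __future__ import annotations

import shlex

# Which tokens each keyword accepts, as listed in the TOKENS section.
ACCEPTED: dict[str, set[str]] = {
    "AuthorizedKeysCommand": set("fhktUu"),
    "AuthorizedKeysFile": set("hUu"),
    "AuthorizedPrincipalsCommand": set("FfhiKkstTUu"),
    "AuthorizedPrincipalsFile": set("hUu"),
    "ChrootDirectory": set("hUu"),
    "RoutingDomain": set("D"),
}


class TokenError(ValueError):
    """A template uses a token the keyword does not accept, or a bare '%'."""


def expand(keyword: str, template: str, ctx: dict[str, str]) -> str:
    """Expand %-tokens in template for keyword, taking values from ctx."""
    allowed = ACCEPTED[keyword]
    out: list[str] = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 == len(template):
            raise TokenError(f"{keyword}: template ends with a bare '%'")
        tok = template[i + 1]
        if tok == "%":
            out.append("%")
        elif tok not in allowed:
            raise TokenError(f"{keyword}: token %{tok} is not accepted here")
        elif tok not in ctx:
            raise TokenError(f"{keyword}: no value for %{tok} in this context")
        else:
            out.append(ctx[tok])
        i += 2
    return "".join(out)


def expand_command(keyword: str, template: str, ctx: dict[str, str]) -> list[str]:
    """Split a command line into arguments first, then expand each one.

    Expanding after splitting keeps a value with spaces or quotes inside a
    single argv element instead of letting it create new arguments."""
    return [expand(keyword, word, ctx) for word in shlex.split(template)]


def sample_context() -> dict[str, str]:
    """Constructed values for one connection (hypothetical user and keys)."""
    return {
        "u": "alice",
        "U": "1001",
        "h": "/home/alice",
        "t": "ssh-ed25519",
        "f": "SHA256:example-key-fingerprint",
        "k": "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlob",
        "D": "0",
        # certificate-specific values, used by AuthorizedPrincipalsCommand
        "i": "alice-laptop",
        "s": "42",
        "T": "ssh-ed25519",
        "F": "SHA256:example-ca-fingerprint",
        "K": "AAAAC3NzaC1lZDI1NTE5AAAAIExampleCABlob",
    }


def is_accepted(keyword: str, template: str) -> bool:
    """True if template expands for keyword without a TokenError."""
    try:
        expand(keyword, template, sample_context())
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    ctx = sample_context()
    print(expand("AuthorizedKeysFile", "%h/.ssh/authorized_keys %%u", ctx))
    print(expand_command("AuthorizedKeysCommand",
                         "/usr/local/bin/keys-for --user %u --type %t", ctx))
```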
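.Pp
An added example, not OpenSSH code, implementing the TIME FORMATS grammar
above and the byte-size grammar with
.Sq K ,
.Sq M
and
.Sq G
suffixes that
.Cm RekeyLimit
takes, then combining them to split a
.Cm RekeyLimit
argument into its data and time parts.
It assumes binary (1024-based) size multiples and that a total beyond a C int
is rejected, as OpenSSH's own parsers do, and it accepts 0 as a time value
even though the text says positive integer; all three are assumptions of the
example, as are the function names.

```python
"""Added example (not OpenSSH code): parsers for sshd_config time and size
values.  parse_time() follows the TIME FORMATS section; parse_size() follows
the K/M/G suffix rule given for RekeyLimit; parse_rekey_limit() combines them.
"""
from __future__ import annotations

import re

INT_MAX = 2 ** 31 - 1  # assumed upper bound, matching a C int

# TIME FORMATS qualifiers in seconds; an empty qualifier means seconds too.
QUALIFIERS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_PART = re.compile(r"(\d+)([smhdwSMHDW]?)")

# RekeyLimit size suffixes, assumed to be binary multiples.
SCALE = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_SIZE = re.compile(r"^(\d+)([kKmMgG]?)$")


def parse_time(spec: str) -> int:
    """Convert a TIME FORMATS sequence such as '1h30m' to seconds.

    Each member of the sequence is added together.  Raises ValueError on an
    empty string, stray characters (including spaces), or a total that does
    not fit a C int.
    """
    if not spec:
        raise ValueError("empty time specification")
    total, pos = 0, 0
    for m in _TIME_PART.finditer(spec):
        if m.start() != pos:      # a gap means something unparseable sits there
            break
        total += int(m.group(1)) * QUALIFIERS[m.group(2).lower()]
        pos = m.end()
    if pos != len(spec):
        raise ValueError(f"invalid time specification {spec!r} at {spec[pos:]!r}")
    if total > INT_MAX:
        raise ValueError(f"time specification {spec!r} is too large")
    return total


def parse_size(spec: str) -> int:
    """Convert a RekeyLimit data size such as '512M' or '1G' to bytes."""
    m = _SIZE.match(spec)
    if not m:
        raise ValueError(f"invalid size {spec!r}")
    return int(m.group(1)) * SCALE[m.group(2).lower()]


def parse_rekey_limit(arg: str) -> tuple[int | None, int | None]:
    """Split a RekeyLimit argument into (bytes, seconds).

    None stands for the documented special values: 'default' (the cipher's
    own data limit) and 'none' (no time-based rekeying).
    """
    parts = arg.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("RekeyLimit takes one or two arguments")
    data = None if parts[0].lower() == "default" else parse_size(parts[0])
    secs = None
    if len(parts) == 2 and parts[1].lower() != "none":
        secs = parse_time(parts[1])
    return data, secs


def is_valid_time(spec: str) -> bool:
    """True if parse_time() accepts spec."""
    try:
        parse_time(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for example in ("600", "10m", "1h30m"):
        print(f"{example:>6} -> {parse_time(example)} s")
    print("RekeyLimit 512M 1h ->", parse_rekey_limit("512M 1h"))
```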
.Sh FILES
.Bl -tag -width Ds
.It Pa /etc/ssh/sshd_config
Contains configuration data for
.Xr sshd 8 .
This file should be writable by root only, but it is recommended
(though not necessary) that it be world-readable.
.El
.Sh SEE ALSO
.Xr sftp-server 8 ,
.Xr sshd 8
.Sh AUTHORS
.An -nosplit
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by
.An Tatu Ylonen .
.An Aaron Campbell , Bob Beck , Markus Friedl , Niels Provos ,
.An Theo de Raadt
and
.An Dug Song
removed many bugs, re-added newer features and
created OpenSSH.
.An Markus Friedl
contributed the support for SSH protocol versions 1.5 and 2.0.
.An Niels Provos
and
.An Markus Friedl
contributed support for privilege separation.